The Security Operations Center of Obrela Security Industries want to keep our customers continuously updated of the attack and provide threats mitigation and prevention guidance. SOC has increased its readiness and verbosity over anomalies in SMB traffic, communication to list of suspicious IP addresses and domains, and more.
The ransomware infection is originally initiated by visiting compromised websites.
As such, (a) it requires user interaction asking the user to visit the compromised web site, (b) then it is redirected to 1dnscontrol[.]com, (c) in order to download a fake Flash update (install_flash_player.exe).
This executable file (630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) is the dropper for the malware that infects the target Workstation (the actual malware).
The resulting malware can propagate via SMB, having many similarities to the Petya/Nyetya attack.
It also utilizes a version of mimikatz security tool in order to steal credentials and use them to propagate to other hosts (sim. Nyetya).
Once a windows computer is infected, it reboots the computer, encrypts the hard drive’s master file table (MFT) and replaces the computer’s MBR with its own malicious code to show the ransomware note upon reboot. The encryption of the files is performed by DiskCryptor to do a full drive encryption. Keys are generated and protected by RSA 2048 public key.
As result of this attack, the computer is locked and shows a random note asking victims to pay a bitcoin amount to allow getting control back of their systems.
8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 C:\Windows\dispci.exe (diskcryptor client)
682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806 C:\Windows\cscc.dat (x32 diskcryptor drv)
0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 C:\Windows\cscc.dat (x64 diskcryptor drv)
2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 (mimikatz-like x86)
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c (mimikat-like x64)